How to Keep Your Smart Home Secure

Reviews Staff

Chances are, you’ve seen some hair-raising news stories over the past few years about hackers gaining access to smart home devices, using baby monitors and security cameras to spy on users and sometimes even communicate with them. Nest has drawn the most headlines for these types of stories — see exhibits A, B, and C — but that’s mostly because it’s the most popular manufacturer out there. Competitors like SimpliSafe and Ring certainly haven’t been immune, either. Today’s bigger picture is that automated attacks continuously probe consumer IoT (especially routers and cameras) at massive scale, and Mirai-family botnets still conscript vulnerable devices for DDoS and proxy abuse (Cloudflare DDoS insights; ENISA).

Research suggests that these aren’t just sensationalist news stories. There’s no single global registry that tracks “smart home breaches,” so the best indicators come from network and threat telemetry. On residential and communications service provider networks, IoT devices now constitute the largest share of infected endpoints observed, reflecting their outsized role in home compromises (Nokia Threat Intelligence). Large-scale sensors also register hundreds of millions of annual attack attempts targeting consumer IoT, primarily brute-force logins and web-interface exploits against routers and IP cameras/DVRs (Kaspersky Securelist), while EU assessments continue to list IoT botnets among prominent risks (ENISA Threat Landscape).

The good news is that baseline protections are improving and are increasingly enforced by law or labeling: the UK’s PSTI regime has been in force since April 29, 2024 (banning universal default passwords, mandating vulnerability disclosure, and requiring update support transparency), the EU’s radio equipment cybersecurity requirements apply from August 1, 2025, and the U.S. Cyber Trust Mark labeling program is rolling out to signal baseline security to buyers (UK PSTI Act guidance; EU RED cybersecurity requirements; FCC Cyber Trust Mark). Follow the precautions below and you can use smart home devices with far greater confidence.


Why Would Someone Want to Hack Into Your Smart Devices?

There’s no single reason why these attacks occur. Criminal groups continue to assemble DDoS and proxy botnets from vulnerable IoT and home routers, while opportunists and state-backed actors exploit weak credentials and unpatched firmware. Telemetry in 2025 shows record network-layer DDoS activity driven largely by Mirai-variant botnets that conscript cameras, routers, and other connected devices (Cloudflare Q3 2025). Motivations range from flooding targets offline to monetizing residential IP space for anonymity.

While the creepiest stories usually grab the headlines, most attackers aren’t fixated on you personally. Your devices—especially your router—are attractive because they offer uptime, bandwidth, and a foothold to mask criminal activity or to pivot to other endpoints on your network. Compromised home routers and cameras are routinely used as DDoS nodes or residential proxies and can weaken any network segmentation you’ve set up (Cloudflare).

Your device can be used to launch DDoS (distributed denial-of-service) attacks, mine cryptocurrency, act as a proxy, and hide malicious traffic behind your home IP. Mirai-style botnets persist because many legacy devices still expose default/weak credentials or run end-of-life firmware, and attackers automate scanning to enroll them. Recent reports highlight multi-terabit-per-second peaks and continued dominance of IoT-sourced botnets (Cloudflare; ENISA).

That said, while most compromises use your device for botnets or proxying, your accounts and personal data can be at risk when cloud portals or mobile apps are weak, or when attackers pivot from one compromised device to another. EU rules coming into effect place explicit requirements on authentication and protection of personal data in connected products, aiming to reduce these avenues over time (EU RED).

How Your Connected Devices Get Hacked

The most common way to gain access to smart devices isn’t really a “hack” at all: attackers reuse stolen passwords in credential-stuffing campaigns against device portals and mobile apps. Breach investigations show the human element and stolen credentials remain major drivers of compromises, so adding a second factor or passkeys materially reduces risk (Verizon DBIR 2024; Verizon DBIR 2025; Mandiant M‑Trends).

It’s also fairly easy for attackers to get in using factory-set usernames and passwords. Many legacy devices still ship with or retain universal defaults that are trivial to find, and these are banned in some markets today. In the UK, vendors must not use universal default passwords and must disclose how long they’ll provide security updates—good news for buyers, but older devices remain exposed (UK PSTI).

In other cases, the problem is upstream with vendor clouds, APIs, or slow patching. That’s why it’s critical to choose brands that prioritize security baselines: unique per-device credentials, automatic updates, published support periods, and clear vulnerability disclosure channels—principles reflected in international baselines and programs (ETSI EN 303 645; EU RED; U.S. Cyber Trust Mark).


How to Protect Yourself

With all that said, the best way to get hackers out of your home is to never let them in in the first place. Regulatory baselines now help, but your choices and settings matter most: pick products with strong defaults and published update policies, keep firmware current, use unique passwords with MFA/passkeys, and harden your router/Wi‑Fi. Prefer devices that support on‑device processing and end‑to‑end encrypted options to minimize cloud exposure (PSTI; Apple Home/HSV).

Stick to established brands

It’s best to stick to names you recognize when it comes to smart devices—and verify concrete security practices: no universal default passwords, automatic updates, a published minimum support period, and a way to report vulnerabilities. These are now mandated in the UK and increasingly reflected in global schemes and standards (UK PSTI; ETSI EN 303 645; U.S. Cyber Trust Mark). For video products, look for on‑device AI and end‑to‑end encrypted or local‑only options (e.g., Apple’s HomeKit Secure Video analyzes motion on a home hub and stores recordings with E2E encryption; Google’s Nest Cam with Floodlight Pro adds on‑device 3D Motion using radar to reduce false alerts) (Apple HSV; Nest Floodlight Pro).

While companies like Nest and Nokia aren’t invulnerable to hacks, you can be confident that they’ll move quickly if a flaw is exposed. These companies also have thorough security measures like two-factor authentication that eliminate the most common points of access. To see the products we feel confident in, check out our reviews of home security systems, home security cameras, and smart hubs. If you prefer DIY systems with professional monitoring, major options publish clear plan details—SimpliSafe’s Fast Protect plan includes live video verification to reduce false dispatch, Ring Protect Pro includes cellular backup for alarms, Abode offers month‑to‑month pro monitoring, and ADT Self Setup pairs Nest gear with ADT monitoring (SimpliSafe plans; Ring Protect; abode Pro; ADT Self Setup).

Update the device’s software

Regular software updates are among the most effective defenses. Attackers scan for devices running old firmware with known flaws, then use widely available tools to exploit them. Turn on automatic updates wherever possible and replace unsupported/EOL devices, especially routers and cameras (ENISA).

When you purchase a smart device from a well-established brand, it should periodically provide software updates to address security issues. Many products update automatically once enabled. In the UK, vendors must disclose their minimum support period, making it easier to avoid products that won’t be patched long-term; EU requirements applying from August 1, 2025 further raise the bar for secure updates and authentication (PSTI; EU RED).

Use a unique password

Because many takeovers start with reused or default credentials, it’s essential that every device and account use unique, strong credentials—ideally moving to passkeys where supported. Credential stuffing and password reuse remain common on consumer IoT portals, but unique passwords plus MFA/passkeys defeat most automated attempts (DBIR; CISA on phishing‑resistant MFA). Good password habits include:

  • Using long passwords
  • Using random strings of characters
  • Spacing out special characters

There are also a number of free password managers out there if you only want to remember one. Modern browsers and managers can alert you if saved credentials appear in known breaches, helping you rotate quickly.

In addition, we recommend using your platform’s built-in breach alerts and enabling passkeys where available; they bind login to the legitimate site and resist phishing. When passkeys aren’t an option, use an authenticator app and avoid reusing passwords (NIST SP 800‑63B; UK NCSC).

Enable two-factor authentication

If your smart device offers two-factor authentication, take advantage of it—and prefer phishing‑resistant options when possible (passkeys or FIDO2 security keys). Breach data shows the human element and stolen credentials drive many compromises; MFA materially reduces account takeover risk, and phishing‑resistant MFA stops modern relay kits that can steal one-time codes (DBIR; Mandiant; CISA; NIST).

Companies increasingly make MFA available across their connected devices because it removes easy wins for attackers using stolen passwords. If stronger factors aren’t an option, use app-based codes or hardened push (with number matching) rather than SMS, which can be undermined by SIM-swap fraud—an issue U.S. regulators addressed with new carrier rules in 2024 (UK NCSC; FCC SIM-swap protections).

Make sure your network is secure

Strong cybersecurity starts with your router. If you’re using an older router that doesn’t support WPA2 (WiFi Protected Access 2) security encryption, it’s time to get a new one. WPA2 has been used on all WiFi hardware since 2006 and is continuously updated with the latest security, authentication, and encryption protections. In practice, replace end‑of‑life models, enable automatic firmware updates, use WPA2 or WPA3 with a strong passphrase, disable remote administration and UPnP if you don’t need them, and change any ISP-provided default credentials on first use. Home/SOHO routers remain high‑value targets for botnets and proxies—hardening them protects everything behind them (Cloudflare).

All of our top picks for wireless routers are WPA2-equipped, so we recommend starting there. Once you have a router you’re comfortable with, make sure the firewall is enabled. You should be able to find instructions for this in the router manual; if you can’t, Lifewire has a great walkthrough of the process here. Finally, remember to change the default log-in credentials on your router as soon as you start using it. Periodically review the router’s device list for unknown clients, confirm DNS and admin settings haven’t changed, and keep IoT devices off the internet directly—use local control or secure cloud connections where possible (ETSI EN 303 645).

Most of the experts we spoke with also recommended setting up a second WiFi network for your smart devices. “You should plug home automation devices into a network that’s isolated from the network you use for computers, tablets, and phones,” Lesser says. This keeps traffic separate from your general browsing activity, which is more likely to contain sensitive information like banking passwords. Because smart home devices tend to be more vulnerable than PCs or smartphones, this adds an extra layer of security. Some routers are able to set up multiple networks — this guide from Lifewire walks you through the process — but in most cases you’ll need to purchase a second router. Segmenting IoT onto a guest SSID or VLAN aligns with current best practices and limits blast radius if a device is compromised (ENISA).

Use an identity theft protection service

In reality, there’s no panacea for securing your information short of staying offline entirely. If you want even more peace of mind, consider an identity theft protection service. For around $20 per month, these services monitor your credit and personal information and alert you to any suspicious activity. They can also exercise power of attorney to help you efficiently restore your identity in the event that it’s stolen. Just know they don’t prevent identity theft or secure devices; the FTC emphasizes that free credit freezes are the strongest tool to block new‑account fraud, while monitoring helps you detect issues faster. Given that stolen credentials drive many breaches, prioritize MFA/passkeys and strong passwords; use monitoring primarily for alerts and restoration support (FTC guidance; Verizon DBIR 2025; FBI IC3; ITRC).

How to Tell If Your Device Has Been Hacked

Unfortunately, you may never know if your smart home device has been compromised. Attackers often blend in with normal traffic and use devices quietly for botnets or proxies. Practical checks include: reviewing your router’s connected-device list for unknown clients, confirming admin and DNS settings haven’t changed, and ensuring remote administration and UPnP are off unless needed. Because automated probing of consumer IoT is constant, vigilance and timely patching matter (Kaspersky Securelist; Cloudflare).

The biggest red flag for all connected devices — from baby monitors to voice assistants — is slower performance. You might also see unexplained bandwidth spikes or battery draining faster than usual. Compare current data usage to prior months via your ISP portal or router dashboard; unexplained, sustained outbound traffic could indicate compromise.
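One way to automate the three checks above (unknown clients on the router, changed DNS resolvers, and a sustained jump in monthly traffic), as an added example that is not from the original article: it works offline on a constructed dnsmasq-style lease table and constructed usage figures. The device allowlist, the 203.0.113.9 resolver, and the 2x-of-median threshold are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample in dnsmasq lease format: expiry mac ip hostname client-id
# ("*" means the router recorded no hostname for that client).
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 living-room-cam 01:aa:bb:cc:dd:ee:01
1700000100 aa:bb:cc:dd:ee:02 192.168.1.11 thermostat *
1700000200 de:ad:be:ef:00:01 192.168.1.57 * *
"""

# Devices the household knows about (constructed allowlist, keyed by MAC).
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01": "living-room-cam", "aa:bb:cc:dd:ee:02": "thermostat"}

def parse_leases(text):
    """Return (mac, ip, hostname) tuples from a dnsmasq-style lease table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            rows.append((parts[1].lower(), parts[2], parts[3]))
    return rows

def unknown_clients(leases, known):
    """Leases whose MAC address is not in the allowlist."""
    return [row for row in leases if row[0] not in known]

def dns_drift(configured, expected):
    """Resolvers set on the router that are not the ones you chose."""
    return sorted(set(configured) - set(expected))

def bandwidth_spike(history_gb, current_gb, factor=2.0):
    """Flag the current month if it exceeds factor x the median of prior months.
    The median keeps one unusual past month from skewing the baseline."""
    baseline = median(history_gb)
    return current_gb > factor * baseline, baseline

def triage(lease_text, known, configured_dns, expected_dns, history_gb, current_gb):
    """Run all three checks and return human-readable findings."""
    findings = []
    for mac, ip, host in unknown_clients(parse_leases(lease_text), known):
        findings.append(f"unknown client {mac} at {ip} ({host})")
    for server in dns_drift(configured_dns, expected_dns):
        findings.append(f"unexpected DNS resolver {server}")
    spiked, baseline = bandwidth_spike(history_gb, current_gb)
    if spiked:
        findings.append(f"usage {current_gb} GB vs baseline {baseline} GB")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LEASES, KNOWN_DEVICES, ["192.168.1.1", "203.0.113.9"],
                    ["192.168.1.1"], [210, 225, 198, 240], 610):
        print(f)
```

Each finding is a prompt to investigate, not proof of compromise; a new phone or a firmware update can also change these values.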

If you notice anomalies, you can also use BullGuard’s Internet of Things Scanner to check whether any devices appear exposed on Shodan (a search engine for internet‑accessible devices). If anything shows up on the scan, immediately take it offline and check for any software updates. You can also use the site haveibeenpwned.com to find out if your email addresses are associated with any data breaches. Keep in mind there’s no unified incident registry for smart homes; network logs and vendor advisories are your best early indicators (Nokia).


What to Do If Your System Has Been Hacked

If you suspect that your device has been hacked, there are a few things you should do immediately. First, disconnect it from the network. As long as it’s connected, it can participate in botnets or expose your network to further risk. If possible, isolate IoT devices on a guest network so you can quarantine a single SSID without taking down your entire home.

From there, check to see if there are any software updates available online. If there are, installing them could potentially resolve the issue. Searching for vendor advisories and applying the latest firmware often closes known holes quickly. After patching, change passwords and enable MFA or passkeys on any associated cloud accounts (CISA on phishing‑resistant MFA).

If there aren’t any software updates, try changing the passwords or performing factory resets on both the device and WiFi network. Also change your router’s admin credentials, disable remote administration and UPnP if they’re enabled, and replace unsupported or end‑of‑life hardware when vendors no longer provide security updates. For cameras/doorbells, consider enabling end‑to‑end encrypted or local‑only video modes after recovery to minimize exposure (Apple Home/HSV). If the issue stems from a vendor flaw, check the company’s vulnerability disclosure or status pages for fixes; PSTI/ETSI-aligned vendors publish support lifecycles and reporting channels (PSTI; ETSI EN 303 645).

As scary as this stuff sounds, there’s no need to swear off smart homes; you should still feel comfortable using smart devices as long as you follow some best practices. Today’s trends favor safer defaults and more private operation: on‑device intelligence reduces cloud exposure, Matter/Thread enable secure local automations with device attestation, and consumer labels/laws make update support and security practices more transparent (CSA device attestation; U.S. Cyber Trust Mark rules; IEEE 802.11bf Wi‑Fi Sensing). Balance convenience with these protections, and you’ll meaningfully reduce risk while keeping the benefits.